>Number: 26856
>Category: kern
>Synopsis: pass in ... keep state actually blocks some packets
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Sep 05 15:16:00 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator: Pave Cahyna
>Release: 2.0_BETA, ipf: IP Filter: v4.1.3 (396), Kernel: IP Filter: v4.1.3
>Organization:
>Environment:
NetBSD pcap 2.0_BETA NetBSD 2.0_BETA (GENERIC_DIAGNOSTIC) #0: Fri Sep 3 10:33:21 CEST 2004 pavel@pc:/mnt/obj/kompilace/jadra/compile/GENERIC_DIAGNOSTIC i386
>Description:
if there is a rule like "pass in on wi1 from 192.168.1.3 to any keep state",
then ping replies from 192.168.1.3 are blocked. (on the firewall, I
run "ping 192.168.1.3", I see with tcpdump that echo requests go out and
echo replies from 192.168.1.3 come in, but ping reports that all the
packets are lost.)
If I change the line to "pass in on wi1 from 192.168.1.3 to any", ping
starts working.
If I remove the line completely, ping also starts working. (My default
is set to pass all.)
If I add the line "pass out on wi1 from 192.168.1.3 to any keep
state", ping also starts working.
This is IMHO wrong, because it violates the principe of least surprise
- one would not expect that adding a "pass" line will block some
packets.
I do not remember seeing it before I upgraded to IPFilter 4.1.3, but
this may be wrong.
>How-To-Repeat:
See above.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: